PageRenderTime 222ms CodeModel.GetById 60ms app.highlight 60ms RepoModel.GetById 61ms app.codeStats 0ms

/gecko_api/include/cmst.h

http://firefox-mac-pdf.googlecode.com/
C++ Header | 534 lines | 281 code | 63 blank | 190 comment | 0 complexity | 65eb9f25a5293216068b288ebfbb3a51 MD5 | raw file
  1/* ***** BEGIN LICENSE BLOCK *****
  2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  3 *
  4 * The contents of this file are subject to the Mozilla Public License Version
  5 * 1.1 (the "License"); you may not use this file except in compliance with
  6 * the License. You may obtain a copy of the License at
  7 * http://www.mozilla.org/MPL/
  8 *
  9 * Software distributed under the License is distributed on an "AS IS" basis,
 10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 11 * for the specific language governing rights and limitations under the
 12 * License.
 13 *
 14 * The Original Code is the Netscape security libraries.
 15 *
 16 * The Initial Developer of the Original Code is
 17 * Netscape Communications Corporation.
 18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 19 * the Initial Developer. All Rights Reserved.
 20 *
 21 * Contributor(s):
 22 *
 23 * Alternatively, the contents of this file may be used under the terms of
 24 * either the GNU General Public License Version 2 or later (the "GPL"), or
 25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 26 * in which case the provisions of the GPL or the LGPL are applicable instead
 27 * of those above. If you wish to allow use of your version of this file only
 28 * under the terms of either the GPL or the LGPL, and not to allow others to
 29 * use your version of this file under the terms of the MPL, indicate your
 30 * decision by deleting the provisions above and replace them with the notice
 31 * and other provisions required by the GPL or the LGPL. If you do not delete
 32 * the provisions above, a recipient may use your version of this file under
 33 * the terms of any one of the MPL, the GPL or the LGPL.
 34 *
 35 * ***** END LICENSE BLOCK ***** */
 36
 37/*
 38 * Header for CMS types.
 39 *
 40 * $Id: cmst.h,v 1.10 2005/06/27 22:21:19 julien.pierre.bugs%sun.com Exp $
 41 */
 42
 43#ifndef _CMST_H_
 44#define _CMST_H_
 45
 46#include "seccomon.h"
 47#include "secoidt.h"
 48#include "certt.h"
 49#include "secmodt.h"
 50#include "secmodt.h"
 51
 52#include "plarena.h"
 53
 54/* Non-opaque objects.  NOTE, though: I want them to be treated as
 55 * opaque as much as possible.  If I could hide them completely,
 56 * I would.  (I tried, but ran into trouble that was taking me too
 57 * much time to get out of.)  I still intend to try to do so.
 58 * In fact, the only type that "outsiders" should even *name* is
 59 * NSSCMSMessage, and they should not reference its fields.
 60 */
 61/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
 62 * This is because when we search the recipient list for the cert and key we
 63 * want, we need to invert the order of the loops we used to have. The old
 64 * loops were:
 65 *
 66 *  For each recipient {
 67 *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
 68 *       [which unrolls to... ]
 69 *       For each slot {
 70 *            Log into slot;
 71 *            search slot for cert;
 72 *      }
 73 *  }
 74 *
 75 *  the new loop searchs all the recipients at once on a slot. this allows
 76 *  PKCS #11 to order slots in such a way that logout slots don't get checked
 77 *  if we can find the cert on a logged in slot. This eliminates lots of
 78 *  spurious password prompts when smart cards are installed... so why this
 79 *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
 80 *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
 81 *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
 82 *  function.
 83 */
 84
 85typedef struct NSSCMSMessageStr NSSCMSMessage;
 86
 87typedef union NSSCMSContentUnion NSSCMSContent;
 88typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
 89
 90typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
 91typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
 92typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
 93
 94typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
 95typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
 96typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
 97
 98typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
 99typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
100
101typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
102
103typedef struct NSSCMSAttributeStr NSSCMSAttribute;
104
105typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
106typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
107
108typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
109typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
110
111/*
112 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
113 * If specified, this is where the content bytes (only) will be "sent"
114 * as they are recovered during the decoding.
115 * And:
116 * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
117 * This is where the DER-encoded bytes will be "sent".
118 *
119 * XXX Should just combine this with NSSCMSEncoderContentCallback type
120 * and use a simpler, common name.
121 */
122typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
123
124/*
125 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
126 * to retrieve the decryption key.  This function is intended to be
127 * used for EncryptedData content info's which do not have a key available
128 * in a certificate, etc.
129 */
130typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
131
132
133/* =============================================================================
134 * ENCAPSULATED CONTENTINFO & CONTENTINFO
135 */
136
137union NSSCMSContentUnion {
138    /* either unstructured */
139    SECItem *			data;
140    /* or structured data */
141    NSSCMSDigestedData *	digestedData;
142    NSSCMSEncryptedData	*	encryptedData;
143    NSSCMSEnvelopedData	*	envelopedData;
144    NSSCMSSignedData *		signedData;
145    /* or anonymous pointer to something */
146    void *			pointer;
147};
148
149struct NSSCMSContentInfoStr {
150    SECItem			contentType;
151    NSSCMSContent		content;
152    /* --------- local; not part of encoding --------- */
153    SECOidData *		contentTypeTag;	
154
155    /* additional info for encryptedData and envelopedData */
156    /* we waste this space for signedData and digestedData. sue me. */
157
158    SECAlgorithmID		contentEncAlg;
159    SECItem *			rawContent;		/* encrypted DER, optional */
160							/* XXXX bytes not encrypted, but encoded? */
161    /* --------- local; not part of encoding --------- */
162    PK11SymKey *		bulkkey;		/* bulk encryption key */
163    int				keysize;		/* size of bulk encryption key
164							 * (only used by creation code) */
165    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
166							 * (only used by creation code) */
167    NSSCMSCipherContext		*ciphcx;		/* context for en/decryption going on */
168    NSSCMSDigestContext		*digcx;			/* context for digesting going on */
169};
170
171/* =============================================================================
172 * MESSAGE
173 */
174
175struct NSSCMSMessageStr {
176    NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
177    /* --------- local; not part of encoding --------- */
178    PLArenaPool *	poolp;
179    PRBool		poolp_is_ours;
180    int			refCount;
181    /* properties of the "inner" data */
182    SECAlgorithmID **	detached_digestalgs;
183    SECItem **		detached_digests;
184    void *		pwfn_arg;
185    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
186    void *		decrypt_key_cb_arg;
187};
188
189/* =============================================================================
190 * SIGNEDDATA
191 */
192
193struct NSSCMSSignedDataStr {
194    SECItem			version;
195    SECAlgorithmID **		digestAlgorithms;
196    NSSCMSContentInfo		contentInfo;
197    SECItem **			rawCerts;
198    CERTSignedCrl **		crls;
199    NSSCMSSignerInfo **		signerInfos;
200    /* --------- local; not part of encoding --------- */
201    NSSCMSMessage *		cmsg;			/* back pointer to message */
202    SECItem **			digests;
203    CERTCertificate **		certs;
204    CERTCertificateList **	certLists;
205    CERTCertificate **          tempCerts;              /* temporary certs, needed
206                                                         * for example for signature
207                                                         * verification */
208};
209#define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
210#define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */
211
212typedef enum {
213    NSSCMSVS_Unverified = 0,
214    NSSCMSVS_GoodSignature = 1,
215    NSSCMSVS_BadSignature = 2,
216    NSSCMSVS_DigestMismatch = 3,
217    NSSCMSVS_SigningCertNotFound = 4,
218    NSSCMSVS_SigningCertNotTrusted = 5,
219    NSSCMSVS_SignatureAlgorithmUnknown = 6,
220    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
221    NSSCMSVS_MalformedSignature = 8,
222    NSSCMSVS_ProcessingError = 9
223} NSSCMSVerificationStatus;
224
225typedef enum {
226    NSSCMSSignerID_IssuerSN = 0,
227    NSSCMSSignerID_SubjectKeyID = 1
228} NSSCMSSignerIDSelector;
229
230struct NSSCMSSignerIdentifierStr {
231    NSSCMSSignerIDSelector identifierType;
232    union {
233	CERTIssuerAndSN *issuerAndSN;
234	SECItem *subjectKeyID;
235    } id;
236};
237
238struct NSSCMSSignerInfoStr {
239    SECItem			version;
240    NSSCMSSignerIdentifier	signerIdentifier;
241    SECAlgorithmID		digestAlg;
242    NSSCMSAttribute **		authAttr;
243    SECAlgorithmID		digestEncAlg;
244    SECItem			encDigest;
245    NSSCMSAttribute **		unAuthAttr;
246    /* --------- local; not part of encoding --------- */
247    NSSCMSMessage *		cmsg;			/* back pointer to message */
248    CERTCertificate *		cert;
249    CERTCertificateList *	certList;
250    PRTime			signingTime;
251    NSSCMSVerificationStatus	verificationStatus;
252    SECKEYPrivateKey *          signingKey; /* Used if we're using subjKeyID*/
253    SECKEYPublicKey *           pubKey;
254};
255#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
256#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */
257
258typedef enum {
259    NSSCMSCM_None = 0,
260    NSSCMSCM_CertOnly = 1,
261    NSSCMSCM_CertChain = 2,
262    NSSCMSCM_CertChainWithRoot = 3
263} NSSCMSCertChainMode;
264
265/* =============================================================================
266 * ENVELOPED DATA
267 */
268struct NSSCMSEnvelopedDataStr {
269    SECItem			version;
270    NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
271    NSSCMSRecipientInfo **	recipientInfos;
272    NSSCMSContentInfo		contentInfo;
273    NSSCMSAttribute **		unprotectedAttr;
274    /* --------- local; not part of encoding --------- */
275    NSSCMSMessage *		cmsg;			/* back pointer to message */
276};
277#define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
278#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */
279
280struct NSSCMSOriginatorInfoStr {
281    SECItem **			rawCerts;
282    CERTSignedCrl **		crls;
283    /* --------- local; not part of encoding --------- */
284    CERTCertificate **		certs;
285};
286
287/* -----------------------------------------------------------------------------
288 * key transport recipient info
289 */
290typedef enum {
291    NSSCMSRecipientID_IssuerSN = 0,
292    NSSCMSRecipientID_SubjectKeyID = 1,
293    NSSCMSRecipientID_BrandNew = 2
294} NSSCMSRecipientIDSelector;
295
296struct NSSCMSRecipientIdentifierStr {
297    NSSCMSRecipientIDSelector	identifierType;
298    union {
299	CERTIssuerAndSN		*issuerAndSN;
300	SECItem 		*subjectKeyID;
301    } id;
302};
303typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
304
305struct NSSCMSKeyTransRecipientInfoStr {
306    SECItem			version;
307    NSSCMSRecipientIdentifier	recipientIdentifier;
308    SECAlgorithmID		keyEncAlg;
309    SECItem			encKey;
310};
311typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
312
313/*
314 * View comments before NSSCMSRecipientInfoStr for purpose of this
315 * structure.
316 */
317struct NSSCMSKeyTransRecipientInfoExStr {
318    NSSCMSKeyTransRecipientInfo recipientInfo;
319    int version;  /* version of this structure (0) */
320    SECKEYPublicKey *pubKey;
321};
322
323typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
324
325#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
326#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */
327
328/* -----------------------------------------------------------------------------
329 * key agreement recipient info
330 */
331struct NSSCMSOriginatorPublicKeyStr {
332    SECAlgorithmID			algorithmIdentifier;
333    SECItem				publicKey;			/* bit string! */
334};
335typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
336
337typedef enum {
338    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
339    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
340    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
341} NSSCMSOriginatorIDOrKeySelector;
342
343struct NSSCMSOriginatorIdentifierOrKeyStr {
344    NSSCMSOriginatorIDOrKeySelector identifierType;
345    union {
346	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
347	SECItem				*subjectKeyID;		/* static-static */
348	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
349    } id;
350};
351typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
352
353struct NSSCMSRecipientKeyIdentifierStr {
354    SECItem *				subjectKeyIdentifier;
355    SECItem *				date;			/* optional */
356    SECItem *				other;			/* optional */
357};
358typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
359
360typedef enum {
361    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
362    NSSCMSKeyAgreeRecipientID_RKeyID = 1
363} NSSCMSKeyAgreeRecipientIDSelector;
364
365struct NSSCMSKeyAgreeRecipientIdentifierStr {
366    NSSCMSKeyAgreeRecipientIDSelector	identifierType;
367    union {
368	CERTIssuerAndSN			*issuerAndSN;
369	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
370    } id;
371};
372typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
373
374struct NSSCMSRecipientEncryptedKeyStr {
375    NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
376    SECItem				encKey;
377};
378typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
379
380struct NSSCMSKeyAgreeRecipientInfoStr {
381    SECItem				version;
382    NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
383    SECItem *				ukm;				/* optional */
384    SECAlgorithmID			keyEncAlg;
385    NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
386};
387typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
388
389#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */
390
391/* -----------------------------------------------------------------------------
392 * KEK recipient info
393 */
394struct NSSCMSKEKIdentifierStr {
395    SECItem			keyIdentifier;
396    SECItem *			date;			/* optional */
397    SECItem *			other;			/* optional */
398};
399typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
400
401struct NSSCMSKEKRecipientInfoStr {
402    SECItem			version;
403    NSSCMSKEKIdentifier		kekIdentifier;
404    SECAlgorithmID		keyEncAlg;
405    SECItem			encKey;
406};
407typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
408
409#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */
410
411/* -----------------------------------------------------------------------------
412 * recipient info
413 */
414
415typedef enum {
416    NSSCMSRecipientInfoID_KeyTrans = 0,
417    NSSCMSRecipientInfoID_KeyAgree = 1,
418    NSSCMSRecipientInfoID_KEK = 2
419} NSSCMSRecipientInfoIDSelector;
420
421/*
422 * In order to preserve backwards binary compatibility when implementing
423 * creation of Recipient Info's that uses subjectKeyID in the 
424 * keyTransRecipientInfo we need to stash a public key pointer in this
425 * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
426 * is the smallest member of the ri union.  We're in luck since that's
427 * the very structure that would need to use the public key. So we created
428 * a new structure NSSCMSKeyTransRecipientInfoEx which has a member 
429 * NSSCMSKeyTransRecipientInfo as the first member followed by a version
430 * and a public key pointer.  This way we can keep backwards compatibility
431 * without changing the size of this structure.
432 *
433 * BTW, size of structure:
434 * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
435 * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
436 * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
437 *
438 * The new structure:
439 * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
440 *                                1 int, 1 pointer
441 */
442
443struct NSSCMSRecipientInfoStr {
444    NSSCMSRecipientInfoIDSelector recipientInfoType;
445    union {
446	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
447	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
448	NSSCMSKEKRecipientInfo kekRecipientInfo;
449	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
450    } ri;
451    /* --------- local; not part of encoding --------- */
452    NSSCMSMessage *		cmsg;			/* back pointer to message */
453    CERTCertificate *		cert;			/* recipient's certificate */
454};
455
456/* =============================================================================
457 * DIGESTED DATA
458 */
459struct NSSCMSDigestedDataStr {
460    SECItem			version;
461    SECAlgorithmID		digestAlg;
462    NSSCMSContentInfo		contentInfo;
463    SECItem			digest;
464    /* --------- local; not part of encoding --------- */
465    NSSCMSMessage *		cmsg;		/* back pointer */
466    SECItem			cdigest;	/* calculated digest */
467};
468#define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
469#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */
470
471/* =============================================================================
472 * ENCRYPTED DATA
473 */
474struct NSSCMSEncryptedDataStr {
475    SECItem			version;
476    NSSCMSContentInfo		contentInfo;
477    NSSCMSAttribute **		unprotectedAttr;	/* optional */
478    /* --------- local; not part of encoding --------- */
479    NSSCMSMessage *		cmsg;		/* back pointer */
480};
481#define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
482#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */
483
484/* =============================================================================
485 * FORTEZZA KEA
486 */
487
488/* An enumerated type used to select templates based on the encryption
489   scenario and data specifics. */
490typedef enum {
491    NSSCMSKEAInvalid = -1,
492    NSSCMSKEAUsesSkipjack = 0,
493    NSSCMSKEAUsesNonSkipjack = 1,
494    NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
495} NSSCMSKEATemplateSelector;
496
497/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
498                but I cannot think of a more appropriate place at this time. */
499struct NSSCMSSMIMEKEAParametersStr {
500    SECItem originatorKEAKey;	/* sender KEA key (encrypted?) */
501    SECItem originatorRA;	/* random number generated by sender */
502    SECItem nonSkipjackIV;	/* init'n vector for SkipjackCBC64
503			           decryption of KEA key if Skipjack
504				   is not the bulk algorithm used on
505				   the message */
506    SECItem bulkKeySize;	/* if Skipjack is not the bulk
507			           algorithm used on the message,
508				   and the size of the bulk encryption
509				   key is not the same as that of
510				   originatorKEAKey (due to padding
511				   perhaps), this field will contain
512				   the real size of the bulk encryption
513				   key. */
514};
515
516/*
517 * *****************************************************************************
518 * *****************************************************************************
519 * *****************************************************************************
520 */
521
522/*
523 * See comment above about this type not really belonging to CMS.
524 */
525struct NSSCMSAttributeStr {
526    /* The following fields make up an encoded Attribute: */
527    SECItem			type;
528    SECItem **			values;	/* data may or may not be encoded */
529    /* The following fields are not part of an encoded Attribute: */
530    SECOidData *		typeTag;
531    PRBool			encoded;	/* when true, values are encoded */
532};
533
534#endif /* _CMST_H_ */